WIREDGOV

Blog posted by: Elizabeth Denham, Information Commissioner, 07 November 2016.

‘We think consumers deserve a greater level of information and protection, but so far Facebook hasn’t agreed’

Eight weeks ago I said my office would look into the approach WhatsApp had decided to take in sharing customer information with Facebook. It’s one of the roles of the Information Commissioner to pull back the curtain on how organisations use personal data, and I wanted to give you an update on what we’ve done so far.

I had concerns that consumers weren’t being properly protected, and it’s fair to say the enquiries my team have made haven’t changed that view. I don’t think users have been given enough information about what Facebook plans to do with their information, and I don’t think WhatsApp has got valid consent from users to share the information. I also believe users should be given ongoing control over how their information is used, not just a 30 day window.

It’s important that we have control over our personal information, even if services don’t charge us a fee. We might agree to a company using our information in a certain way in return for us getting a service for free, but if that information is then exploited more than agreed, for a purpose we don’t like, then we’re entitled to be concerned.

We’ve set out the law clearly to Facebook, and we’re pleased that they’ve agreed to pause using data from UK WhatsApp users for advertisements or product improvement purposes.

We have now asked Facebook and WhatsApp to sign an undertaking committing to better explaining to customers how their data will be used, and to giving users ongoing control over that information. We also want individuals to have the opportunity to be given an unambiguous choice before Facebook start using that information and to be given the opportunity to change that decision at any point in the future. We think consumers deserve a greater level of information and protection, but so far Facebook and WhatsApp haven’t agreed. If Facebook starts using the data without valid consent, it may face enforcement action from my office.

We’ll keep pushing on this, both from our office and alongside other data protection authorities across Europe, notably the Irish Data Protection Commissioner, where Facebook’s EU headquarters are based.

We all rely on digital services for important parts of our lives, whether it’s keeping in touch with loved ones or doing our weekly shop. But our digital comings and goings create rich portraits of our lives, and vague terms of service when we sign up aren’t giving us the protection we need.

It’s a particular concern when company mergers mean that vast amounts of customers’ personal data become an asset to be bought and sold. We’re seeing situations where companies are being  bought primarily for this data, and when it is combined with information the purchasing company already holds, there’s a danger that consumers will have little control as datasets are matched and intrusive details revealed.

It’s a problem that is broader than data protection, and we’re speaking with industry, competition regulators and consumer groups to see how we can make people clearer on the law. We’ll be publishing a report on this in the new year, outlining our concerns and discussing solutions.

Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.